Amendments to the Claims
This listing of claims replaces all prior versions and listings of claims in the application.

Listing of Claims:

1. (Previously Presented) A machine implemented method of monitoring traffic flow in a
monitoring device disposed to receive network traffic packets comprises:

producing statistics corresponding to a parameter of traffic flow to trace a source of an
attack, with producing further comprising:

mapping the traffic flow into a plurality of buckets by applying a hash function "f(h)" to
the parameter of the traffic flow to output an integer corresponding to one of the buckets;

accumulating statistics from the packets; and

comparing the number of buckets to a threshold; and

determining whether the number of buckets should be divided into more buckets or
combined into fewer buckets based on comparing the number of buckets to the threshold.

2. (Original) The method of claim 1 wherein the buckets are storage areas in a memory
space of the monitor device.

3. (Original) The method of claim 1 wherein as the number of buckets changes, the
buckets have values derived from the buckets prior to the change.

4. (Original) The method of claim 1 wherein the hash function adapts to map to the new
number of buckets, as the new number of buckets changes.



5. (Original) The method of claim 1 wherein comparing statistic values comprises: 
of buckets.



6. (Original) The method of claim 1 wherein the parameter is the count of how many
packets a data collector or gateway examines.

7. (Original) The method of claim 1 wherein as a value of a parameter for one bucket
approaches a threshold, the monitoring device raises an alarm.

8. (Original) The method of claim 1 wherein the hash function changes periodically in a
randomly secret manner so that packets are reassigned to different buckets.

9. (Original) The method of claim 1 wherein the variable number of buckets dynamically 
adjusts the amount of traffic and number of flows monitored, so that the monitoring device is not 
vulnerable to a denial of service attack against its own resources. 

10. (Original) The method of claim 1 wherein the variable number of buckets efficiently 
identifies the source or sources of attack by breaking down traffic into different buckets and
examining statistics accumulated for a parameter and a corresponding threshold in each bucket.

11. (Original) The method of claim 1 wherein the traffic is monitored at multiple levels of
granularity, from aggregate to individual flows.

12. (Previously Presented) The method of claim 1 wherein the method is applied to 
monitoring of TCP packet ratios and repressor traffic. 
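
Added example, not part of the application and not the applicant's implementation: one way to realize the bucket scheme recited in claims 1 to 12 in Python. The power-of-two bucket count, the keyed BLAKE2b hash, the `budget * skew / n` per-bucket limit and the halving of counts on a split are assumptions made for this example.

```python
import hashlib
import os


class BucketMonitor:
    """Counts packets per hash bucket; the bucket count stays a power of two."""

    def __init__(self, buckets=1, budget=1000, skew=4, max_buckets=64, key=None):
        self.budget = budget            # assumed packets expected per interval
        self.skew = skew                # assumed tolerance over a fair share
        self.max_buckets = max_buckets  # memory cap protecting the monitor itself
        self.key = key or os.urandom(16)
        self.counts = [0] * buckets     # one bucket = aggregate view

    def index(self, flow_param: str) -> int:
        h = hashlib.blake2b(flow_param.encode(), key=self.key, digest_size=8)
        return int.from_bytes(h.digest(), "big") % len(self.counts)

    def observe(self, flow_param: str, packets: int = 1) -> None:
        self.counts[self.index(flow_param)] += packets

    def limit(self) -> float:
        # Per-bucket threshold depends on the current number of buckets.
        return self.budget * self.skew / len(self.counts)

    def hot(self) -> list:
        return [i for i, c in enumerate(self.counts) if c > self.limit()]

    def split(self) -> None:
        # h % 2n is i or i + n, so each old bucket seeds two children.
        self.counts = [c - c // 2 for c in self.counts] + [c // 2 for c in self.counts]

    def merge(self) -> None:
        # (h % 2n) % n == h % n, so children i and i + n fold back exactly.
        n = len(self.counts) // 2
        self.counts = [self.counts[i] + self.counts[i + n] for i in range(n)]

    def adapt(self) -> None:
        n = len(self.counts)
        if self.hot() and n * 2 <= self.max_buckets:
            self.split()   # drill down toward the source
        elif not self.hot() and n > 1:
            self.merge()   # give memory back when traffic is quiet

    def rekey(self) -> None:
        # Fresh secret key: flows land in different, unpredictable buckets.
        self.key, self.counts = os.urandom(16), [0] * len(self.counts)
```

With 16 buckets, one source sending 900 packets among 50 sources sending 5 each leaves exactly one bucket over the limit of 250: the bucket the heavy source hashes to. Counts after a split are estimates until the next interval refills them, while a merge is exact.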



13. (Original) The method of claim 1 wherein the threshold is a first threshold and the
method further comprises:

determine that an event is of significance.



14. (Original) A computer program product residing on a computer readable medium for
monitoring network traffic flow in a network comprises instructions for causing a computer to:

map traffic flow into a plurality of buckets by applying a hash function "f(h)" to a
parameter of the traffic flow to output an integer corresponding to one of the buckets;
accumulate statistics from the packets; and

compare the accumulated statistic values from the buckets to configured threshold values
corresponding to the number of buckets to determine that an event is of significance; and

adjust the number of buckets as the number of buckets approaches a second threshold.

15. (Original) The computer program product of claim 14 wherein based on the second
threshold, the buckets are divided into more buckets or combined into fewer buckets.

16. (Original) The computer program product of claim 14 wherein instructions to monitor
further comprise instructions to

divide the bucket into a different number of new buckets containing values derived from
the original bucket.

17. (Original) The computer program product of claim 14 wherein the hash function
adapts to map to the new number of buckets as the new number of buckets changes.

18. (Original) The computer program product of claim 14 wherein the parameter is the
count of how many packets a data collector or gateway examines.

19. (Original) The computer program product of claim 14 wherein the buckets are storage
areas in the memory space of the monitor device.

Claims 22-49 are canceled.

50. (Previously Presented) The data collector of claim 21 wherein based on the second
threshold, the buckets are divided into more buckets or combined into fewer buckets.

51. (Previously Presented) The data collector of claim 21 wherein instructions to monitor
further comprise instructions to

divide the bucket into a different number of new buckets containing values derived from
the original bucket.

52. (Previously Presented) The data collector of claim 21 wherein the hash function
adapts to map to the new number of buckets as the new number of buckets changes.

53. (Previously Presented) The data collector of claim 21 wherein the parameter is the
count of how many packets the data collector examines.

54. (Previously Presented) The data collector of claim 21 wherein the buckets are storage
areas in the memory space of the monitor device.

55. (Previously Presented) The data collector of claim 21 wherein the hash function
changes periodically in a randomly secret manner so that packets are reassigned to different
buckets.

■^(i < p-evoi^b Pn\>enied5 { he data collect™ id eluun 7 t v\he:em e'vns V e<>'icwtc 
rtjt.suc >■ . ne* <.eripf^cs .ustiuet fuv v 

vvmpaie ise ^ iiut a^j-ukned m the bucket U> a Uucn:i-, \l V.uil dc<vrc\ on k k - mi timer 
ot bueko? ^ 

57. (Previously Presented) The data collector of claim 21 wherein as a value of a 
parameter for one bucket approaches a threshold, the monitoring device raises an alarm. 

58. (Previously Presented) The data collector of claim 21 wherein the variable number of
buckets dynamically adjusts the amount of traffic and number of flows monitored, so that the
data collector is not vulnerable to a denial of service attack against its own resources.

59. (Previously Presented) The data collector of claim 21 wherein the variable number of
buckets efficiently identifies the source or sources of attack by breaking down traffic into
different buckets and examining statistics accumulated for a parameter and a corresponding
threshold in each bucket.

60. (Previously Presented) The data collector of claim 21 wherein the traffic is monitored
at multiple levels of granularity, from aggregate to individual flows.

61 . i Previously Pre.seTU.ctI) The dam collects of elan* ; ; w he em tV v :\u< ts .^pheo. :o 
monitoring of TCP packet ratios and repressor traffic.

63. (Currently Amended) A method of monitoring traffic flow in a monitor device
disposed to receive network traffic packets, the method comprises:

producing statistics corresponding to a parameter of the traffic flow to trace a the source
of an attack, with producing further comprising:

mapping the traffic flow into a plurality of buckets;

varying the number of buckets according to the amount of traffic and number of flows
according to breakdown traffic flow into different buckets; and

analyzing examining statistics accumulated for a parameter and a corresponding
threshold in the bucket to identify a source of the attack.

64. (Previously Presented) The method of claim 63 wherein varying varies the number of
buckets so that the monitoring device is not vulnerable to DoS attacks against its own resources.

65. (Previously Presented) The method of claim 63 wherein varying the number of
buckets comprises:

comparing the number of buckets to a threshold number of buckets;

determining whether the number of buckets should be divided into more buckets or
combined into fewer buckets based on comparing the number of buckets to the threshold and as
the number of buckets changes, the buckets have values derived from the buckets prior to the
change.

0^ i Pvvi ^ 'ViUiftJ She i-vi u< 1 ot e. Lin o i <•> Ik v.m i rf lo i m <» 
v vi,paiK)^ < . iv n lc \t V \ alias 'r» n trie b \ 1 Us <-tv«.vd I ,M\\>! ^ a 0 es i<> 
detur f »i H ' c <.rt i'so, , ,_a ru k.l 

o" tP ^ a isK P si*! nc.boii > ehu.n ' * w vieu. v 
cerawnscs: 

<kv a .!><k i i 1 s !> I on h>. packet m> 
n s v v ri *L 1 jir ki, \v o cl. if 'he btn.KC' 1 - s hu-n t 

of buckets. 

68. (Previously Presented) The method of claim 63 wherein the variable number of
buckets dynamically adjusts the amount of traffic and number of flows monitored, so that the
monitoring device is not vulnerable to a denial of service attack against its own resources.

69. (Previously Presented) The method of claim 63 wherein the buckets are storage areas
in a memory space of the monitor device and mapping the traffic flow into a plurality of buckets
comprises:

applying a hash function "f(h)" to the parameter of the traffic flow to output an integer
corresponding to one of the buckets.



L n d \i i\> xr > s u 1 vjn ixr 



Applicant : Thomas Michael (hi et al. Attorney's Docket No.: S.222J-0070QI

Serial No. : mm i .223

Filed : August 16, 2001

Page : 9 of I ] 



70. (Currently Amended) A computer program product residing on a computer readable
medium for monitoring traffic flow in a monitor device disposed to receive network traffic
packets, the computer program product comprises instructions for causing the device to:

produce statistics corresponding to a parameter of the traffic flow to trace a the source of
an attack, with producing further comprising:

map the traffic flow into a plurality of buckets;

vary the number of buckets according to the amount of traffic and number of flows
according to breakdown the traffic flow into different buckets; and

analyze examine statistics accumulated for a parameter and a corresponding threshold
in the bucket to identify a source of the attack.

71. (Previously Presented) The computer program product of claim 70 wherein
instructions to vary, vary the number of buckets so that the monitoring device is not vulnerable
to DoS attacks against its own resources.

72. (Previously Presented) The computer program product of claim 70 wherein
instructions to vary comprises instructions to:

compare the number of buckets to a threshold number of buckets;

determine whether the number of buckets should be divided into more buckets or
combined into fewer buckets based on comparing the number of buckets to the threshold and as
the number of buckets changes, the buckets have values derived from the buckets prior to the
change.

73. (Previously Presented) The computer program product of claim 70 further comprising
instructions to:

compare accumulated statistic values from the buckets to second threshold values to
determine that an event is of significance.

74. (Previously Presented) The computer program product of claim 70 wherein
instructions to compare statistic values comprises instructions to:
accumulate statistic values from the packets; and

compare the values accumulated in the buckets to thresholds that depend on the number
of buckets.

75. (Previously Presented) The computer program product of claim 70 wherein the
variable number of buckets dynamically adjusts the amount of traffic and number of flows
monitored, so that the monitoring device is not vulnerable to a denial of service attack against its

76. (Previously Presented) The computer program product of claim 70 wherein the
buckets are storage areas in a memory space of the monitor device and instructions to map the
traffic flow into a plurality of buckets comprises instructions to:

apply a hash function "f(h)" to the parameter of the traffic flow to output an integer
corresponding to one of the buckets.

77. (Previously presented) The data collector of claim 21 further comprising: 
a port to link the data collector to a central control center. 



